[Thinlinc-technical] audit issue

vfh at swemel.ru vfh at swemel.ru
Fri Aug 1 14:06:27 CEST 2014


Hi there. I have a problem with ThinLinc on audit-enabled CentOS. Every
Xvnc process generates records like the ones below very frequently:


type=CWD msg=audit(1406869742.166:10509503):  cwd="/home/vlad"
type=PATH msg=audit(1406869742.166:10509503): item=0 name="/proc/2663/cmdline" inode=2303429124 dev=00:03 mode=0100444 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL
type=SYSCALL msg=audit(1406869742.171:10509504): arch=c000003e syscall=2 success=yes exit=31 a0=7fff7863e990 a1=0 a2=7fff7863e9a3 a3=0 items=1 ppid=2428 pid=2431 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=5 comm="Xvnc" exe="/opt/thinlinc/libexec/Xvnc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

The monitored processes are firefox, metacity, gpk-update-icon. So, Xvnc just
opens cmdline at about 300 req/sec on a system with two logged-in users.
The Linux audit subsystem has no ability to disable events for this type of
record, due to the lack of ability to filter out subject path. The only way now
is to disable processing for the entire /proc, but this is unacceptable. Is there
any way to fix this strange activity?

-- 
vlad f halilov
swemel
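
One way to measure which executable and path dominate an audit log like the one quoted above, as an added example that is not part of the original message: it groups records by event serial and collapses /proc/<pid>/ paths into one bucket. The sample records are constructed in the post's format (the firefox event is invented for contrast), and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample in the format shown in the post, one record per line.
SAMPLE = """\
type=SYSCALL msg=audit(1406869742.166:10509503): arch=c000003e syscall=2 success=yes exit=31 items=1 pid=2431 uid=500 comm="Xvnc" exe="/opt/thinlinc/libexec/Xvnc" key=(null)
type=CWD msg=audit(1406869742.166:10509503):  cwd="/home/vlad"
type=PATH msg=audit(1406869742.166:10509503): item=0 name="/proc/2663/cmdline" nametype=NORMAL
type=SYSCALL msg=audit(1406869742.171:10509504): arch=c000003e syscall=2 success=yes exit=31 items=1 pid=2431 uid=500 comm="Xvnc" exe="/opt/thinlinc/libexec/Xvnc" key=(null)
type=PATH msg=audit(1406869742.171:10509504): item=0 name="/proc/2701/cmdline" nametype=NORMAL
type=SYSCALL msg=audit(1406869743.166:10509505): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2700 uid=500 comm="firefox" exe="/usr/lib64/firefox/firefox" key=(null)
type=PATH msg=audit(1406869743.166:10509505): item=0 name="/etc/hosts" nametype=NORMAL
"""

def group_events(text):
    """Merge the records of each event (same timestamp:serial) into one dict."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[(ts, serial)]
        ev["ts"] = float(ts)
        if rtype == "PATH":
            ev["paths"].append(fields.get("name", "?"))
        elif rtype == "SYSCALL":
            ev["exe"] = fields.get("exe", "?")
    return dict(events)

def top_talkers(text):
    """Count events per (exe, path); every /proc/<pid>/ path shares one bucket."""
    counts = Counter()
    for ev in group_events(text).values():
        for p in ev["paths"]:
            counts[(ev.get("exe", "?"), re.sub(r'^/proc/\d+/', '/proc/<pid>/', p))] += 1
    return counts

def events_per_second(text):
    """Average event rate over the time span covered by the log (minimum 1 s)."""
    ts = [ev["ts"] for ev in group_events(text).values()]
    return len(ts) / max(max(ts) - min(ts), 1.0)

if __name__ == "__main__":
    print(top_talkers(SAMPLE).most_common())
    print("events/sec: %.1f" % events_per_second(SAMPLE))
```

To run it on a real log, pass the contents of the audit log file to `top_talkers` in place of `SAMPLE`.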


